REMARKS/ARGUMENTS

Applicants would like to thank the Examiner for courtesies extended during the 
telephonic interview of June 9, 2006. During the interview, Applicants' representative and the
Examiner discussed the claimed invention and cited art. No agreement was reached regarding 
patentable subject matter. 

The Examiner rejects claims 38-39, 47-51, 53-54, 61-66, 68-70, 75 and 76 under 35
U.S.C. § 103(a) as being unpatentable over Hankinson et al. (U.S. 6,799,202) in view of Williams
(U.S. 6,304,973); claims 42, 43, 46, 57-58, 72 and 74 under 35 U.S.C. § 103(a) as being
unpatentable over Hankinson-Williams in view of Schmeidler (U.S. 6,763,370) and Kekic et al.
(U.S. 6,763,370); claims 40, 41, 44-45, 55-56, 59, 60, 71, and 73 under 35 U.S.C. § 103(a) as
being unpatentable over Hankinson-Williams and further in view of Kekic et al.; and claims 52
and 67 under 35 U.S.C. § 103(a) as being unpatentable over Hankinson-Williams and further in
view of Sato et al. (U.S. 6,748,446) and Burkett et al. (U.S. 6,671,853).

Applicant respectfully traverses the Examiner's rejection. Independent claims 38, 53, and 
69 are patentable over the cited references for at least the features highlighted below in the 
claims: 

38. An arrangement for serving information requests, comprising: 
a plurality of informational servers connected to a communications network, all of 
the informational servers having a common address on the communications network and 
serving a set of information to clients, each of the informational servers being configured 
to receive a transaction request associated with an individual transaction and to provide a 
response to each transaction request; and 

a content director connecting the informational servers to the communications 
network and distributing transaction requests among the informational servers 
comprising: 

a flow switch that parses plain text transaction requests to locate selected 
packet payload fields, selects, based on the plain text packet payload fields, an 
appropriate informational server to service each transaction request, and thereafter 
forwards at least portions of the parsed transaction requests to a selected one of the 
informational servers; and 

a cryptographic module that decrypts, prior to parsing and informational 
server selection by the flow switch, cipher text transaction requests and provides plain 
text transaction requests to the flow switch, wherein, prior to decryption, the cipher text
transaction requests have not been routed by another flow switch, 

53. In an arrangement comprising a plurality of informational servers 
connected to a communications network, all of the informational servers having a 
common address on the communications network and serving a set of information to 
clients, each of the informational servers being configured to receive a transaction request 
associated with an individual transaction and to generate a corresponding response to the 
transaction request, at least one of the request and response including a packet payload 
tag identifying uniquely the responding informational server and being an identifier other 
than an electronic address, and to provide a response to each transaction request, a 
method for serving transaction requests from clients, comprising: 

a cryptographic module decrypting a cipher text transaction request to provide a 
plain text transaction request to a first flow switch, the plain text transaction requests 
comprising the payload tag; 

the first flow switch parsing the plain text transaction request to locate one or 
more selected fields including the payload tag; 

the first flow switch, based on the one or more selected fields, selecting an 
appropriate informational server to service the transaction request; and 

the first flow switch thereafter forwarding at least portions of the plain text 
transaction request to a selected one of the informational servers, wherein the cipher text 
transaction request is decrypted prior to the parsing and selecting steps. 

69. An arrangement for serving information requests, comprising: 
a plurality of informational servers connected to a communications network, all of 
the informational servers having a common address on the communications network and 
serving a set of information to clients, each of the informational servers being configured 
to receive a transaction request associated with an individual transaction, to generate a 
corresponding cookie identifying uniquely the generating informational server, and to 
provide a response to each transaction request; and 

a content director connecting the informational servers to the communications 
network and distributing transaction requests among the informational servers 
comprising: 

first flow switching means for (a) parsing plain text transaction requests 
to locate selected fields including a generated tag, the tag being shorter than the cookie, 
uniquely identifying an informational server, and being an identifier other than an 
electronic address, (b) selecting, based at least in part on the generated tag, an 
appropriate informational server to service each transaction request, and (c) thereafter 
forwarding at least portions of the parsed transaction requests to a selected one of the 
informational servers;

decrypting means for decrypting, prior to parsing and informational
server selection by the first flow switching means, cipher text transaction requests and 
providing plain text transaction requests to the first flow switching means, wherein, 
prior to the decrypting function, the cipher text transaction request has not been directed 
to a flow switching means other than the first flow switching means. 

Conventional web switches have difficulty maintaining transaction coherency when a 
communication session with a client transitions from plain text (unsecured) to encrypted (secure) 
modes. To protect client/server communications from eavesdropping, tampering and message 
forgery, the Secure Sockets Layer (SSL) protocol is frequently used to transport secured 
messages. The cookie in encrypted communications is also encrypted. When a transaction 
transitions from plain to cipher text, a new session ID is assigned to the transaction. Because the
payload of the packet is encrypted, web switches assume that the next packet received from an IP 
address after the transaction becomes encrypted is a part of the immediately preceding clear text 
session with the same IP address. This assumption is not always correct. Many users, such as 
users behind a firewall or subscribers to an internet service such as Megaproxy™ offered by 
America On Line, can have the same global IP address. The encrypted sessions of such users 
can be crossed by the web switch, resulting in customer dissatisfaction and lost business. Web 
switches can also require excessive amounts of computational resources and otherwise suffer 
from computational inefficiencies. 

In one embodiment, the present invention overcomes this problem by positioning a 
cryptographic module between the communications network and the IP switch to selectively 
trans-crypt data within a secure HTTP transaction between a client and the network flow switch. 
The cryptographic module decrypts the packet before the packet is otherwise processed (e.g.,
parsed) by the network flow switch and thereby identifies embedded destination and/or source 
invariants in the cipher text portion of the packet. Frequently requested content can thereby be 
efficiently segregated and cached even among a cluster configuration of network flow switches.

Hankinson et al.

Hankinson et al. is directed to a high speed server in which different functions of the 
server's state machine are distributed across a plurality of processors running a plurality of 
operating systems. The web server has a number of members categorized into member classes. 
Each member class has a distinct specialized operating system that is optimized for its function. 
Load balancing (such as is performed by a traffic manager prior to routing by the flow switch) is 
performed without regard to the message contents prior to transmission of a message to a 
dispatcher 720 (col. 17, lines 41-50). With reference to Fig. 7 and col. 21, line 64-col. 22, line 8,
an encrypted message is transferred from a receiver 745 (or input) to a dispatcher (or switch) 720. 
Dispatcher 720 then sends the message to another dispatcher 725 over a private connection 730. 
Dispatcher 725 then sends the message to a decoder 735, which decodes the message and returns 
the decoded message to dispatcher 725. Dispatcher 725 then sends a message identifying the 
location of the requested data to one of responders 740, and the responder 740 retrieves and 
sends the information to a decoder 735 for encryption and subsequently forwards an encrypted 
response, containing the encrypted information, to the client. 

Hankinson et al. teaches the routing of the encrypted message first from a receiver 745 
(which performs an initial analysis of the message) to a first dispatcher 720 and second from a 
first dispatcher 720 to a second dispatcher 725 before the message is decrypted. In contrast, the 
claimed invention of claims 1 and 69 decrypts the message before it is initially routed by a 
switch, such as the receiver. The Examiner himself concedes that "Hankinson does not disclose 
encryption/decryption performed within the network interface and decryption completed prior to 
being routed by another flow switch." (Office Action at page 5.) Accordingly, Hankinson et al. 
fails to address the problem noted above, namely how to distinguish transaction requests from 
different clients having a common address on the communications network. 

Hankinson et al. does not teach a tag, other than an electronic address, that identifies 
uniquely the generating informational server among the various servers in the server farm let 
alone positioning such a tag in the encrypted packet payload. The Examiner, however, contends 
that Hankinson discloses the usage tag information used in selection of an informational server to
process a request (see Hankinson, col. 11, lines 59-67; tag mode, packet payload (message
information), message information utilized for server selection, two consecutive messages
processed by same switch). (Office Action at pages 2-3.) Hankinson states at col. 11, lines 59-67:

Typically the networking code of the operating system is responsible for processing the 
IP address and TCP port number of an incoming packet in order to determine if the 
packet belongs to a new or existing connection, and to determine the appropriate 
application to send the data to. Other data in the message (for example, a host name) 
may need to be searched by the application (for example, an HTTP Web server) in order 
to process the incoming packet. 
(Emphasis supplied.) The Examiner appears to be analogizing the tag of the present invention 
with the electronic address (e.g., IP address and TCP port number) of the above paragraph. 
Moreover, the address information is contained in the packet header, which, in encrypted 
communications, is typically plain text, and not in the packet payload, which, in encrypted 
communications, is encrypted. 

The remaining references fail to overcome the deficiencies of Hankinson et al. 

Williams 

Williams is directed to a security network 10 having a dedicated Network Security 
Controller (NSC) 12, workstations 14 and servers 16. The NSC 12 permits a security officer to 
configure and audit the operation of secure network 10. The network 10 also has security 
devices 18 installed between each host (workstation 14 or server 16) and the local area network 
medium 20. The various LANs 5 are connected to an untrusted backbone net 30 by a router 22. 
The security device 18 operates at the network layer 3 of the protocol stack and provides 
encrypted, controlled communications from one host (IP address, TCP/UDP port) to another.
Each security device enforces a mandatory access control (MAC) policy and discretionary access 
control (DAC) on the packet flow to and from a host. It ensures labeling of all packets with a 
hierarchical security level and a set of non-hierarchical security categories. Finally, the security
device 18 uses encryption to provide secrecy and communications integrity on all selected 
connections. Communications integrity mechanisms include keyed message digests, secure host 
algorithm, and message authentication code. All network communications pass through the 
security device 18 to access the network. In other words, the security device encrypts all 
messages automatically. The headers (IP, IPSec, CIPSO label, and cryptographic headers) are in 
clear text while IP data (i.e., TCP or UDP headers and data) are encrypted. 

When a packet is received by the security device, it is placed in local RAM and MAC, 
DAC, decryption, and packet integrity functions are performed. For packets satisfying both 
discretionary and mandatory access control, the packet is decrypted using traffic key for source IP
address, and the security device maps the packet out of the board memory and into the host 
(server) memory for provision to a workstation. 

Williams is directed to an enterprise network comprising a server and client workstations 
and not to a server farm. Williams also fails to say how mapping to host memory is performed; 
that is, Williams fails to disclose what fields are considered in mapping. Williams does not teach 
routing the decrypted packet to a switch for further routing to an information server. Moreover, 
Williams does not teach the use of a packet payload tag identifying a target information server 
for use in routing the packet. 

Schmeidler et al. 

Schmeidler et al. is directed to a system for secure delivery of on-demand content over 
broadband access networks that uses servers and security mechanisms to prevent client processes 
from accessing and executing content without authorization. A briq is mapped into a directory 
and file where it is stored in memory. In this manner, file system 1008 functions as an interface 
between the network request from the SCDP system and the memory 1050. Fig. 12 diagrams a 
briq. A briq 1200 includes a briq header 1202, a cryptoblock 1204, a superblock 1206, and one 
or more titles 1208A-N. A URN is a unique identifier of a title within a briq. The URN can 
correspond exactly to the current location of the title in the vendor's storage server. A URL
identifies the current location of the briq in a RAFT storage server. 

Kekic et al. 

Kekic et al. is directed to a client-server management system using a combination of 
event rules and an event engine. In response to a selected event, a predetermined management 
action is undertaken. 

Sato et al. 

Sato et al. is directed to a communication apparatus, a communication system, and a 
communication method for relaying and receiving data from an information source which 
presents data services such as video data services via a network such as Internet. With this 
configuration, the service data can be dynamically changed and a digest corresponding to such a 
change can be presented. Also with this configuration, a communication apparatus, a 
communication system, and a communication method are provided which are capable of 
reducing the load of the whole network and relaying and receiving data at high efficiency. 

Burkett et al. 

Burkett et al. is directed to a method, system, and computer-readable code for a technique 
with which documents encoded according to the Extensible Markup Language (XML) notation 
or a derivative thereof can be more efficiently processed by selectively streaming document 
fragments. This selective streaming technique comprises identifying the static and the changeable 
portions or fragments of a document. The static fragments are written to a serialized binary 
format (i.e. a serialized binary stream), such as a disk file, thereby avoiding the re-parsing of this 
information when reconstituting a Document Object Model (DOM) tree for the document. 
Volatile fragments, on the other hand, remain in the XML or derivative notation when written to 
an output file. 

Accordingly, the independent claims are allowable. 

The dependent claims provide further reasons for allowance.

By way of example, dependent claim 39 requires first and second encrypted transaction
requests to be received from different clients having a common electronic address and served 
substantially simultaneously by different informational servers; at least some of the responses to 
include a cookie and a tag; the cookie to be generated by the previously selected informational 
server; the tag to be generated by the content director; the tag to identify uniquely a 
corresponding informational server previously selected to service transaction requests from the 
client; the tag to be independent of an electronic address associated with the corresponding 
informational server; and the flow switch to use the tag in the parsed plain text equivalent of 
each transaction request to select an appropriate informational server to service each of the first 
and second transaction requests. Dependent claim 47 further requires the tag to be independent 
of an electronic address associated with the corresponding informational server. 

Dependent claims 40, 44, 45, 55, 59-60, 71, and 74 are directed to a hot table identifying 
information frequently requested from informational servers. The Examiner points to Hankinson 
et al. to support the rejection of these claims. Hankinson et al. discloses the use of tables of IP
addresses and host names to determine if the packet belongs to a new or existing connection and 
the appropriate application to send the packet to. Nowhere does Hankinson et al. state that the 
table tracks frequency of requests directed to selected information let alone a hit counter 
associated with the information. The same is true for Kekic et al. At col. 27, lines 12-18, Kekic 
et al. simply discloses the use of a threshold to determine if a rule is applicable and a specified 
action must be performed. 

Dependent claims 42-43, 46, 57-58, 61, 72, and 75 are directed to the use of a digest 
value, for frequently requested information, to point to a location in the hot table where objects 
regarding the information are stored. Although hashing is referenced at col. 18, lines 44-51, of 
Schmeidler, the hash code and an encryption key are used to digitally sign a launch string. The 
hash code is not related to a stored location of an object. It is a quantum leap to say that it is 
obvious, based on this teaching, to use a digest value to point to a location in the hot table where
objects regarding the information are stored.

Dependent claim 54 requires first and second encrypted transaction requests to be
received from different clients having a common electronic address; the requests to be served 
substantially simultaneously by different informational servers; at least some of the responses to 
include a cookie and payload tag; the cookie to have been generated by the informational server 
previously assigned by the first flow switch to service transaction requests from the client; and 
the packet payload tag to identify the previously assigned informational server; the payload tag to 
be an identifier other than an electronic address associated with the respective serving 
informational server; and the first flow switch to use at least one of the cookie and tag in the 
parsed plain text equivalent of each transaction request to select an appropriate informational 
server to service each of the first and second transaction requests. 

Dependent claim 70 requires first and second encrypted transaction requests to be 
received from different clients having a common electronic address and served substantially 
simultaneously by different informational servers; at least some of the responses to include a 
cookie and a generated tag, the cookie to be generated by the informational server previously 
assigned by the first flow switching means to service transaction requests from the client; the 
generated tag to be independent of an electronic address associated with the informational server 
generating the tag and cookie content; and the first flow switching means to use at least one of 
the cookie and tag in the parsed plain text equivalent of each transaction request to select an 
appropriate informational server to service each of the first and second transaction requests and 
wherein the generated tag is in the packet payload. 

Dependent claims 49-52, 64-68, and 76 are directed to the switch tagging responses being 
forwarded to clients. Dependent claims 52 and 64 require the flow switch to operate in the 
tagging and digesting modes at different times. Hankinson et al. fails to teach or suggest both
tagging and digesting let alone at different times. 

Applicant wishes to clarify the intended meaning of certain claim language in light of the 
Federal Circuit decision SuperGuide Corporation v. DirecTV Enterprises, Inc., et al., 358 F.3d
870 (Fed. Cir. 2004). In that decision, the Federal Circuit held, under the unique facts of that 
case, that the phrase "at least one of a desired program start time, a desired program end time, a
desired program service, and a desired program type" means "at least one of a desired program 
start time, at least one of a desired program end time, at least one of a desired program service, 
and at least one of a desired program type". 

Applicant has used the phrases "at least one of . . . and" and "and/or" in a number of 
claims and wishes to clarify to the Examiner the proper construction of this phrase. Applicant 
intended the phrases "at least one of . . . and" and "and/or" as used in the claims to be an open-ended
expression that is both conjunctive and disjunctive in operation. For example, the expressions 
"at least one of A, B and C" and "A, B, and/or C" mean A alone, B alone, C alone, A and B 
together, A and C together, B and C together, and A, B and C together. Applicant believes that 
this construction is consistent with the Examiner's construction of the claims in the Office 
Action. If the Examiner disagrees with this construction, Applicant respectfully requests that the 
Examiner notify Applicant accordingly so that Applicant can further amend the claims. 

Based upon the foregoing, Applicants believe that all pending claims are in condition for 
allowance and such disposition is respectfully requested. In the event that a telephone 
conversation would further prosecution and/or expedite allowance, the Examiner is invited to 
contact the undersigned. 



Respectfully submitted, 



SHERIDAN ROSS P.C. 




Douglas W. Swartz
Registration No. 37,739 
1560 Broadway, Suite 1200 
Denver, Colorado 80202-5141 
(303) 863-9700 